This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
How to not store the key files with the keychain on dropbox?
Is there a way to prevent the keyfiles (e.g. I'm assuming 1password.keys) to be located elsewhere than in the 1Password.agilekeychain directory when saved on Dropbox? If they keyfile is simply encrypted with one's human rememberable password, and someone is able to get your 1Password.agilekeychain, then wouldn't that reduce the security of your passwords to a human password? I'd rather keep the keyfile separate from the keychain itself if its stored in the cloud.
Flag
0
Comments
-
Welcome to the forums, css! Thanks for asking about this.
The main thing to keep in mind is that [b]your master password is not stored anywhere in your data file[/b]. So, in order for someone to have access to your data they need to know your master password. There is [b]not a way to discover your master password by reverse engineering your 1password.keys file[/b]. When you enter your master password, 1Password attempts to decrypt the encryption key which is 1024 bytes of random data generated when the data file was created. If the master password is correct, then the key is provide. Otherwise, nothing is returned.
The only way to crack your data file would be by brute force attack which is greatly hindered by the length of your master password and the [url="http://en.wikipedia.org/wiki/Key_strengthening"]key strengthening[/url] function [url="http://en.wikipedia.org/wiki/PBKDF2"]PBKDF2[/url]. From our "[url="http://help.agile.ws/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the Cloud[/url]" document:
[quote][PBKDF2] protects your data against password guessing (password cracking) programs in a number of ways. Before we can explain how that works, you need to know a bit more of what 1Password does when it decrypts your data. Your data is not directly encrypted with your master password. Instead it is encrypted with a random 128-bit number that was picked when 1Password first created your Agile keychain. That 128-bit number is your true decryption key. This key, in turn, is encrypted using your master password.
The computation (AES-128) to get from your decryption key to your data is designed to be quick; but the computation (PBKDF2) to get from your master password to your actual decryption key is designed to be slow. This means that when you enter in your master password you have to wait a fraction of a second. That fraction of a second, however, makes it enormously harder for automated guessing programs. Without PBKDF2 well designed automatic password guessing programs can try [url="http://blog.crackpassword.com/2010/12/blackberry-password-cracking-multi-threaded-with-hardware-accelerated-aes/"]millions of passwords per second[/url], but with this key strengthening this is reduced to a few hundred per second. Another consequence of this system is that even if two people use the same master password, they will have different encryption keys and so their data will be encrypted differently.[/quote]
I encourage you to read the document in its entirety.
One other point that I believe is worth making is that 1password.keys is necessary to decrypt your data file. If that file is not present, [b]Dropbox syncing will not work[/b]. You would only be able to access your data on the computer where 1password.keys was available (assuming we did add an option to point to an external 1password.keys file).
At this time it is not possible to locate the 1password.keys file outside of the data file, and I hope the above explanation helps show why it would not be advantageous to do so in the future.
It is great that you are thinking about these sorts of things. Please keep your questions and comments coming. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />Flag 0 -
Yes, I saw that document, it was the basis of my question.
[quote name='khad' timestamp='1303606130' post='25500']
The only way to crack your data file would be by brute force attack which is greatly hindered by the length of your master password and the [url="http://en.wikipedia.org/wiki/Key_strengthening"]key strengthening[/url] function [url="http://en.wikipedia.org/wiki/PBKDF2"]PBKDF2[/url]. From our "[url="http://help.agile.ws/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the Cloud[/url]" document:
[/quote]
This is sort of my point, the master password is pretty significant, and you may not need to brute force a human rememberable password anyway. If I pick the password "ducks2000", PBKDF2 will still help, but the password is pretty flawed to begin with. Programs such as John the Ripper know of many common patterns people use for passwords, this pattern included. There's also a social engineering aspect, maybe I'm a bird watcher and there's pictures of birds in my dropbox. Even RSA has highlighted this in the wake of their break in. At 1000 tries/s you'd just have to get to the D's in the dictionary + the 2 seconds it takes to increment a number at the end of the password from 1 to 2000.
So anyway, my point was that I'd rather just have a 1024bit key in addition to my PBKDF2'ed password, and have that stored only on the systems I use 1Password on, not in the cloud. That way I can use a "relaxed" password on my systems, one I won't forget after a 3 week vacation, and also not care about the dropbox security debate. I understand the reasoning behind making it simpler, it could be confusing to users, but it would nice to be able to have the option (like TrueCrypt, CrashPlan, Keepass, SSH even).
My 2c anyway... Thanks for listening!Flag 0 -
Ah. It sounds like you are looking for something more along the lines of "encryption keys on a USB flash drive or stored locally but outside of the data file" then. Might I point you to a [url="http://forum.agile.ws/index.php?/topic/3605-feature-request-keyfile-support/"]thread already in progress[/url]?
Please also keep in mind that just as we won't force users to use a strong master password, we wouldn't force users to use such a feature if/when we add it, so the overall security does not change for users who use weak passwords. The best tool we have is usually [url="http://forum.agile.ws/index.php?/topic/1774-choosing-a-good-master-password/"]education[/url].
Thanks again for the feedback! <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />Flag 0 -
[quote name='khad' timestamp='1303707691' post='25581']
Ah. It sounds like you are looking for something more along the lines of "encryption keys on a USB flash drive or stored locally but outside of the data file" then. Might I point you to a [url="http://forum.agile.ws/index.php?/topic/3605-feature-request-keyfile-support/"]thread already in progress[/url]?
[/quote]
More like that thread, yes. I wouldn't want it to be on a USB flash drive necessary, just a flat file on the file system is fine in my case. The problem with things like Yubikey and other keycard based systems is that it's hard to use multiple computers at the same time with them, and there's often a driver that has to be installed -- and you might find yourself on an OS the vendor doesn't support, or supports very poorly. FYI.
[quote]
Please also keep in mind that just as we won't force users to use a strong master password, we wouldn't force users to use such a feature if/when we add it, so the overall security does not change for users who use weak passwords. The best tool we have is usually [url="http://forum.agile.ws/index.php?/topic/1774-choosing-a-good-master-password/"]education[/url].
Thanks again for the feedback! <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />
[/quote]
That's what's a little concerning, there are probably users who are using poor passwords with dropbox and don't realize that 1Password isn't able to protect them as much as they think. They could have their bank or medical password in there too. Not to mention the urls of their websites being in clear text also could help an attacker narrow down an attack to something relevant to the user. I think the thing is that even if you use good algorithms and implementations, that's not the end of the story.
Anyway, once there's a key file I'd totally buy 1Password, it looks really great.
Thanks!Flag 0 -
Hi all,
I'm sorry for coming to this fascinating discussion so late.
The advantages of having the encrypted key file separate from the rest of the data are pretty much the same as the advantages of two factor authentication. (Two factor authentication happens to be a topic I've been writing up for our blog, those that article isn't ready yet.)
To decrypt the data, you need the data file, the master password, and the key file. If these are all stored separately (the master password is stored only in your head) then an attacker needs to get all three. But if the key file is stored within the data file/folder (as it is now) the attacker "only" needs to get hold of that data file and figure out your master password.
So, it is certainly true that this would add to the security of your 1Password data.
The disadvantages are substantial. It would make using 1Password significantly more complicated for most users, particularly those who syncing there data from one system to another. They would need a separate channel to transport their key file.
It also substantially increases the [url="http://blog.agile.ws/2011/04/keeping-your-data-at-your-finger-tips-part-i/"]risk of data loss[/url]. If you lose your keyfile, you will be locked out of your data forever. Currently 1Password on the desktop makes backups your data file into a separate folder on your computer. If those backups don't include the encrypted key, then they can not be used as full backups. You would need to back up the key file separately. If the backups contained both the key file along with the data, then we are pretty much back where we started.
These disadvantages (other than the additional complexity to the system) may not be insurmountable. But I would find this line of development more tempting were it not for the fact that users who wish to increase the security of their 1Password data stored in the cloud (or anywhere) have a much simpler option: They can add an extra character or two to their master password.
With PBKDF2, the effectiveness of password cracking tools like "john the ripper" is dramatically impaired. This is what PBKDF2 was invented for. In our [url="http://blog.agile.ws/2011/04/looking-ahead-in-security/"]up-coming data format[/url] the number of PBKDF2 iterations will be increased. This will mean that small improvements to a master password will have even greater effect. (As a side note, I sometimes run john the ripper against some of my own passwords, but I do that without PBKDF2.)
We'd would never rule out css' proposal. It is a very interesting idea with some real advantages, and we should always be thinking about how we can improve things. But at this point it is safe to say that we are inclined to keep authentication to 1 (really good) Password.
Cheers,
-jFlag 0 -
Welp...
1) A "really good" master password is sufficient with PBDKF2
Yep, I'd agree. Though if a key file would be too complex or risky, I'm not seeing how remembering a complex password without writing it down incase you forget it is any different.
You're also assuming that a brute force attack is also the only way to find a password, and my point is that in some cases it really isn't. Also changing a password by one letter is a known poor practice, and some systems will actually detect you did that when setting a password, see Linux's cracklib.
2) How do you get the key file to different places?
I just copy it:
My Mac -> USB -> Phone
Phone -> USB -> My other Mac at some other location
Doesn't seem too hard for someone who would want the additional peace of mind.
3) How do you back it up?
My computer is backed up normally to a cloud provider which allows me to use a key; if I need to recover from a catastrophic HD failure, I simply have a recovery disk with the key on it. No different than how I would recover my Toshiba laptop; Toshiba's software just creates a recovery CD for me with the data I need on it.
Anyway, it seems pretty simple, but I obviously 1Password isn't the right software for me. Thanks for the follow ups.Flag 0 -
[quote name='css' timestamp='1303890846' post='25725']
1) A "really good" master password is sufficient with PBDKF2
Yep, I'd agree. Though if a key file would be too complex or risky, I'm not seeing how remembering a complex password without writing it down incase you forget it is any different.
[/quote]
A master password constructed with diceware of three or four words should be both strong and memorable, but I have to acknowledge that most users aren't going to use diceware to construct a master password. So I suppose that your point stands.
[quote]
You're also assuming that a brute force attack is also the only way to find a password, and my point is that in some cases it really isn't.[/quote]
I certainly believe that our choice of algorithms and protocols are such that the best option for an attacker is to brute force the master password, but I am open to persuasion. If I'm wrong about this, I would certainly like to know.
[quote]Also changing a password by one letter is a known poor practice, and some systems will actually detect you did that when setting a password, see Linux's cracklib.[/quote]
This is true for passwords that may have been captured by some other means. Having a password for "Sekret1" and changing it to "Sekret2" when told change passwords is, indeed, a bad idea. But the reasons why people are told to change passwords for many systems aren't applicable to 1Password master passwords, so simply adding a character or two to a 1Password master password is, typically, a reasonable strategy.
[quote]
2) How do you get the key file to different places?
I just copy it:
My Mac -> USB -> Phone
Phone -> USB -> My other Mac at some other location
Doesn't seem too hard for someone who would want the additional peace of mind.
[/quote]
Noted. I'm not ruling out having a configuration option that puts the keys file out-side of the core data, but I don't see this as something that we would implement in the near future.
[quote]
3) How do you back it up?
My computer is backed up normally to a cloud provider which allows me to use a key; if I need to recover from a catastrophic HD failure, I simply have a recovery disk with the key on it.
[/quote]
I completely agree that ones normal backup plans would cover this, but I was referring specifically to the internal backups that 1Password makes.
[quote]
Anyway, it seems pretty simple, but I obviously 1Password isn't the right software for me. Thanks for the follow ups.
[/quote]
You are very welcome. I wish you well in finding what you are looking for.
In a sense, our disagreement really isn't so much about technical matters (although there still is some of that). As a long time user of SSH and PGP, I am very familiar with keeping a key file in a separate location under my control. But I think that where we may not be meeting your expectations is about the fact that we don't like adding complicating features and options that only a small number of users would make use of. Our goal is to make good security easy.
Again, even though you are not happy with some of our choices, I really like discussions like this, and would encourage you to hang around here. We need critics as well as fans.
Cheers,
-jFlag 0 -
Here are my last thoughts...
While you agree that a keyfile would give better protection against poor passwords, your concernes are about protecting the user experience and spending dev time where it makes the most sense. As you should.
However the user is relying on you to protect them, and 1Password does let you pick terrible master passwords, and the countermeasures you've taken won't help much in some cases. I would at least put in a warning to the end user that their password may not be good enough. e.g. I was able to set my master password to "a" without any complaints from 1Password.
Also, rather than seeing the extra protection of a keyfile being a complicating factor, it would be better to innovate and make it fun; how can you get the user the best possible protection, while making it an enjoyable experience? That really adds value to a product when you can get more people taking advantage of more sophisticated technology without requiring an expert. Apple does this all the time, and it's a brand differentiator for them.
For example, on the unlock screen you could simply put two keys, and a picture of the automator robot turning the key with you. I think most everyone would grasp the cold war analogy of turning two keys in unison. That seems like a starting analogy that would be easy and fun to run with.
Best.Flag 0 -
[quote]Yep, I'd agree. Though if a key file would be too complex or risky, I'm not seeing how remembering a complex password without writing it down incase you forget it is any different.[/quote]
Security expert Bruce Schneier has been saying for years that [url="http://www.schneier.com/blog/archives/2005/06/write_down_your.html"]people [i]should[/i] write down their password[/url]:
[quote name="Bruce Schneier"]Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.[/quote]
While the bulk of your passwords can be stored in 1Password itself, the above is a possible method to render the complexity/length of your master password irrelevant. Of course, it is also possible to use long [i]memorable[/i] passwords through a variety of methods: diceware, pronounceable passwords, etc. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_wink.png' class='bbc_emoticon' alt=';-)' />
[quote]I would at least put in a warning to the end user that their password may not be good enough. e.g. I was able to set my master password to "a" without any complaints from 1Password.[/quote]
I think this is a great idea. Perhaps we can add some kind of warning or password strength meter to master password creation in the future! I think this goes back to my earlier post which mentioned the importance of education. A visual indicator during the setup process could be a great way to do this.
[quote]I think most everyone would grasp the cold war analogy of turning two keys in unison. [/quote]
I certainly wouldn't make any connection to "Cold War." Not everyone was alive back then. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/laugh.gif' class='bbc_emoticon' alt=':lol:' />
Seriously, though, thanks for the additional feedback. We really do appreciate it!Flag 0 -
[quote name='khad' timestamp='1304055738' post='25857']
I certainly wouldn't make any connection to "Cold War." Not everyone was alive back then. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/laugh.gif' class='bbc_emoticon' alt=':lol:' />
[/quote]
But you've surely seen "War Games". I'm off to play global thermonuclear war.
Cheers,
-jFlag 0